diff --git a/.github/workflows/cleanup-python.yml b/.github/workflows/cleanup-python.yml
index 3bcac75e1..8df887a09 100644
--- a/.github/workflows/cleanup-python.yml
+++ b/.github/workflows/cleanup-python.yml
@@ -1,4 +1,4 @@
-name: Cleanup dev versions on TestPyPI
+name: cleanup python
 
 on:
   workflow_dispatch:
@@ -29,7 +29,7 @@ jobs:
             --username "$PYPI_USERNAME" \
             --password "$PYPI_PASSWORD" \
             --repository-url https://test.pypi.org/legacy/ \
-            --project libnvme \
+            --package libnvme \
             --keep ${{ github.event.inputs.keep-last }} \
             --version-regex '.*\.dev[0-9]+' \
             $([ "${{ github.event.inputs.dry-run }}" == "true" ] && echo "--dry-run")
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index 318b42795..03f5650ad 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -24,27 +24,29 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Allow workspace
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
       - name: Build sdist
-        run: pipx run build --sdist
+        run: |
+          pipx run build --sdist
 
       - name: Validate sdist
-        run: pipx run twine check dist/*.tar.gz
+        run: |
+          pipx run twine check dist/*.tar.gz
 
       - uses: actions/upload-artifact@v4
         with:
           path: dist/*.tar.gz
           retention-days: 5
 
-  upload_test_pypi:
-    needs: [build_sdist]
+  build_test_sdist:
+    name: Build test source distribution
     runs-on: ubuntu-latest
     env:
       PYTHON_VERSION: "3.10"
-    environment: pypi
-    permissions:
-      id-token: write
+    container:
+      image: ghcr.io/linux-nvme/debian.python:latest
     steps:
       - name: Check out repository (with tags)
         uses: actions/checkout@v4
@@ -52,16 +54,8 @@ jobs:
           fetch-depth: 0  # Required for `git describe`
 
       - name: Allow workspace
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
-      - uses: actions/download-artifact@v4
-        with:
-          name: artifact
-          path: dist
-
-      - name: Extract sdist for patching
         run: |
-          mkdir sdist && tar -xzf dist/*.tar.gz -C sdist --strip-components=1
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
       - name: Compute dev version from git
         id: version
@@ -75,16 +69,36 @@ jobs:
 
       - name: Patch version in pyproject.toml
         run: |
-          sed -i "s/^version = .*/version = \"${{ steps.version.outputs.dev_version }}\"/" sdist/pyproject.toml
+          sed -i "s/^version = .*/version = \"${{ steps.version.outputs.dev_version }}\"/" pyproject.toml
 
-      - name: Rebuild sdist with dev version
+      - name: Build sdist
         run: |
-          cd sdist
           pipx run build --sdist
-          mv dist/*.tar.gz ../dist/
 
-      - name: Validate rebuilt sdist
-        run: pipx run twine check dist/*.tar.gz
+      - name: Validate sdist
+        run: |
+          pipx run twine check dist/*.tar.gz
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: test_pypi
+          path: dist/*.tar.gz
+          retention-days: 5
+
+  upload_test_pypi:
+    needs: [build_test_sdist]
+    runs-on: ubuntu-latest
+    env:
+      PYTHON_VERSION: "3.10"
+    environment: pypi
+    permissions:
+      id-token: write
+    if: github.repository == 'linux-nvme/libnvme'
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: test_pypi
+          path: dist
 
       - name: Publish package to TestPyPI
         uses: pypa/gh-action-pypi-publish@v1.12.4